Events
Mar 17, 9 PM - Mar 21, 10 AM
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowQueries for the SentinelAudit table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Display audit logs of failed attempts to update Office365-Sharepoint related Sentinel resources, with an optional filter by caller name and workspace id.
query
SentinelAudit
//| where WorkspaceId == "<WorkspaceId>" // to filter on a specific WorspaceId, uncomment this line
| extend CallerName = tostring(ExtendedProperties.CallerName)
// | where CallerName startswith "<userName>" // to to filter on a specific user, uncomment this line
| where Status == "Failure"
| where SentinelResourceName has "Office365-Sharepoint"
| limit 100
Additional resources
Training